Overview
A user requests to have their own SSL certificate and private key loaded into the Exinda for HTTPS access.
Cause
By default, the Exinda offers a self-generated SSL certificate and private key for HTTPS login, and this certificate is not trusted within the network. Some companies need to change this setting because of their security policies.
To install a new certificate, see the steps below.
Resolution
Follow the procedure below to install your own certificate and private key. Please read carefully:
1.- From your own Certificate Authority, generate a certificate and private key pair. The two must belong to each other for this to work, and the private key must not be created with a pass-phrase.
2.- Temporarily enable HTTP access on your Exinda. Connect to the Exinda's CLI via SSH:
exinda# conf t
exinda(config)# web http enable
3.- Connect to the Exinda's WebUI forcing it to run HTTP rather than HTTPS:
4.- Browse to System-->Maintenance-->Import Config and run the following commands one by one. NOTE: Each of these commands will cause a disconnection from the WebUI console, but there is nothing to be concerned about; just refresh your browser and go ahead with the next command. Also, please refer to the attached pictures for reference on how to run each command:
exinda(config)# web https customssl certificate "<PASTE CERT HERE>"
exinda(config)# web https customssl privatekey "<PASTE PK HERE>"
5.- Then clear the cache/cookies of your browser and run the following commands from SSH to refresh the customssl feature:
exinda(config)# no web https customssl enable
exinda(config)# web https customssl enable
6.- Run the following command to verify that the customssl config was applied properly:
exinda(config)# show web https customssl
NOTE: The "Custom SSL certificate enabled" option must read "yes". If it does not, there are two potential reasons:
A.- The private key and the certificate do not belong to each other.
B.- The private key was created with a pass-phrase.
In the latter case, you can obtain a private key with no pass-phrase by running the following command on any Linux machine:
/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key
where '/path/to/openssl' is the path to the openssl binary, '/path/to/originalkeywithpass.key' is the original private key with the pass-phrase, and '/path/to/newkeywithnopass.key' is where the new private key without the pass-phrase will be stored.
7.- Try connecting to the Exinda again via HTTPS and check the certificate:
8.- Disable HTTP access if you do not wish to keep it:
exinda(config)# no web http enable
9.- (Optional) In case you need to wipe out the configuration explained above:
exinda(config)# no web https customssl enable
exinda(config)# no web https customssl certificate
exinda(config)# no web https customssl privatekey
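Both failure reasons listed in the note under step 6 can be checked on a Linux machine before the certificate and key are pasted in step 4. The script below is an added example, not part of the original article or of Exinda's tooling; the function name check_customssl_pair, the script name check_pair.sh and the return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Pre-import check for an Exinda custom SSL pair (added example).
# check_customssl_pair CERT.pem KEY.pem
#   returns 0  key is unencrypted and matches the certificate
#           1  key and certificate do not belong to each other (reason A)
#           2  key is pass-phrase protected (reason B)
#           3  a file could not be parsed by openssl
check_customssl_pair() {
    cert=$1
    key=$2

    # Reason B: both encrypted PEM forms are visible in the file itself.
    # PKCS#8 uses an "ENCRYPTED PRIVATE KEY" label; the traditional
    # format keeps "RSA PRIVATE KEY" and adds a Proc-Type header.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "FAIL: private key is pass-phrase protected"
        return 2
    fi

    # Reason A: derive the public key from each file and compare them.
    # "-passin pass:" stops openssl from prompting if the key turns out
    # to be encrypted in some form the grep above did not recognise.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot parse certificate $cert"; return 3; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "FAIL: cannot parse private key $key"; return 3; }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not belong to the certificate"
        return 1
    fi
    echo "OK: unencrypted private key matches the certificate"
}

# Run directly as: sh check_pair.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    check_customssl_pair "$1" "$2"
fi
```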